CISO insights on building risk-based cybersecurity strategy

Security has always been a contentious topic, and high-profile cyber attacks have only heightened public awareness of the impact of security breaches. With the increase in digital business, cybersecurity strategy has become more than just the domain of security teams. It’s a board-level discussion, and companies are prioritizing security investments to protect their assets and their reputations.

A new study by the IBM Center for Applied Insights, “From checkboxes to frameworks,” highlights a key shift in how Chief Information Security Officers (CISOs) are approaching cybersecurity strategy, moving from compliance to true risk-based programs.

Building on several years of IBM CISO Assessments that highlight pertinent issues in the security realm, this latest report, based on an IBM-sponsored study by the Darwin Deason Institute for Cyber Security at Southern Methodist University, focuses on how CISOs and security teams are upping their strategy game.

Simply focusing on compliance is not an option for companies anymore. Instead, CISOs are now turning to customized frameworks to overcome the challenges of staying strategic, communicating priorities to the C-suite for investments, and translating cybersecurity strategy into a consumable implementation plan for the organization.

The key takeaway for security leaders? See frameworks in a new light. The study found that tailor-made frameworks, based on industry standards and best practices, have become the tool of choice for prioritizing risks and threats. Companies that use customized frameworks are more likely to have a comprehensive understanding of organizational risks and can select targeted security controls to mitigate them.